If the user is not logged into the vulnerable site, the attacker can compensate by asking the user to log in and then displaying the legitimate login page for the application. This is not a phishing attack—the attacker does not gain access to the user's credentials—so anti-phishing countermeasures will not be able to defeat the attack.
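The point of the passage is that the forged request rides on the browser's ambient session cookie, so whether the user was already logged in or logs in at the attacker's prompting makes no difference: the cookie is attached either way, and the attacker never needs to see it. The following is an added example, not code from the original post or from the paper it quotes. It models a transfer endpoint two ways: a version that authorizes purely on the session cookie (the CSRF flaw) and a hardened version that additionally requires a per-session token that the attacker's page cannot read or compute. All names (`transfer_vulnerable`, `transfer_hardened`, `csrf_token`, the in-memory `SESSIONS` store, the `Request` class) and the sample requests are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory stand-ins for the vulnerable application (illustrative only).
SERVER_SECRET = secrets.token_bytes(32)   # never leaves the server
SESSIONS: Dict[str, str] = {}             # session cookie value -> username


@dataclass
class Request:
    """Minimal model of what the server sees: cookies the browser attached, plus form fields."""
    cookies: Dict[str, str]
    form: Dict[str, str]
    origin: Optional[str] = None          # Origin header, if the browser sent one


def login(username: str) -> str:
    """The legitimate login page: issue a session cookie value for the user."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def csrf_token(sid: str) -> str:
    """Synchronizer token bound to the session: HMAC(SERVER_SECRET, sid).

    The real site embeds it in its own forms. A page on another origin cannot read
    those forms (same-origin policy) and cannot compute the HMAC without the secret.
    """
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(req: Request) -> str:
    # Authorizes on the session cookie alone. Any cross-site form post the browser
    # submits while the user is logged in is indistinguishable from a real one.
    user = SESSIONS.get(req.cookies.get("sid", ""))
    if user is None:
        return "401 not logged in"
    return f"200 transferred {req.form['amount']} from {user} to {req.form['to']}"


def transfer_hardened(req: Request) -> str:
    # Same cookie check, plus proof that the request came from a page the real site
    # served to this session: the token must match the one derived from the cookie.
    sid = req.cookies.get("sid", "")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 not logged in"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(csrf_token(sid), supplied):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {req.form['amount']} from {user} to {req.form['to']}"


def forged_request(sid: str) -> Request:
    """What the attacker's auto-submitting form produces. The attacker chose the
    form fields; the browser added the victim's cookie on its own."""
    return Request(cookies={"sid": sid},
                   form={"to": "attacker", "amount": "1000"},
                   origin="https://attacker.example")  # hypothetical origin


def legitimate_request(sid: str) -> Request:
    """A submission from the real site's own form, which carried the token."""
    return Request(cookies={"sid": sid},
                   form={"to": "landlord", "amount": "1000", "csrf_token": csrf_token(sid)})


def run_scenario() -> Dict[str, str]:
    """Play out the passage: victim is not logged in, attacker gets them to log in on
    the legitimate page, then the attacker's page fires the forged request."""
    results = {}
    results["hardened_logged_out"] = transfer_hardened(forged_request("no-such-session"))
    sid = login("victim")                      # victim logs in, as the attacker asked
    results["vulnerable_forged"] = transfer_vulnerable(forged_request(sid))
    results["hardened_forged"] = transfer_hardened(forged_request(sid))
    results["hardened_legit"] = transfer_hardened(legitimate_request(sid))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:22s} -> {outcome}")
```

Note that the attacker's page never learns the cookie value or the token; the forgery only works against the vulnerable handler because the browser supplies the cookie implicitly. The hardened handler rejects the same request with a 403 while still accepting the site's own form, which is why a token bound to the session (or an equivalent origin-bound check) is the fix and anti-phishing measures are not.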
As I previously blogged, I think the overarching theme is that Web 2.0 brings new ways to integrate apps and data together, but it brings no new security mechanisms, so this guarantees security issues such as the above.
Upcoming public SOA, Web Services, and XML Security training by Gunnar Peterson, Arctec Group
- NYC (April 19), Unatek Web Services (May), OWASP App Sec Europe (May), Helsinki (June), DC/Baltimore (July 19).